Messaging app Freedom Chat exposes user phone numbers and more - here's what we know
A patch was released to fix the bugs
- Freedom Chat exposed user phone numbers and PIN codes due to two major security flaws
- A misconfigured server let attackers brute‑force phone numbers, while a second bug leaked PINs to everyone in a default public channel
- After media escalation, the company patched the issues and forcibly reset all user PINs
Messaging app Freedom Chat reportedly carried two major security vulnerabilities which allowed malicious actors to expose user phone numbers and PIN codes, experts have reported.
Security researcher Eric Daigle revealed that Freedom Chat suffered from the same misconfiguration as WhatsApp, when it exposed the phone numbers of 3.5 billion users.
The app’s servers allow anyone to try and guess user phone numbers indefinitely, to see if they’ll get a match.
Resetting PINs
The second bug leaked people’s PIN codes. Daigle said he used an open source network traffic inspection tool to analyze the data moving through the app, and found that the app would respond with the PIN code of every user in the same public channel, even if the app users couldn’t see the codes.
Daigle claims that anyone subscribed to the default Freedom Chat channel had their PIN broadcast to everyone else. Everyone who signs up is automatically subscribed to this channel, meaning that anyone who got hold of a user's device could easily unlock the app.
To make matters worse, if we assume people use the same PIN code across multiple services, this could put other apps and tools at risk as well, including credit cards, crypto wallets, and social media accounts.
Fortunately, unlike WhatsApp, which counts its users in the billions, Freedom Chat is a newly released app with roughly 2,000 users.
Daigle tried reaching out to Freedom Chat, but since there is no official way to report bugs, he was unable to get the company’s attention. However, TechCrunch succeeded by reaching out directly to founder Tanner Haas, who later confirmed the company released a new version and reset everyone’s PINs.
“A critical reset: A recent backend update inadvertently exposed user PINs in a system response,” the company said on its app store update page.
“No messages were ever at risk, and because Freedom Chat does not support linked devices, your conversations were never accessible; however, we’ve reset all user PINs to ensure your account stays secure. Your privacy remains our top priority.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.